Config365

PotSolutions fully designed and built Config365 — an open-source GitOps orchestration platform for Microsoft 365. Deploy tenant configs, detect drift, enforce compliance, and manage unlimited clients from a single self-hosted container with a full management portal.

PotSolutions Product · Microsoft 365 · GitOps · Open Source · Multi-Tenant · MSP

M365 at Scale Is Still Manual

MSPs and internal IT teams managing multiple Microsoft 365 tenants face the same operational pain: PowerShell scripts on laptops, configuration drift between clients, no audit trail, and risky one-click applies with no preview.

Conditional Access, Intune policies, Defender settings, sensitivity labels, groups, and app registrations each live in different admin surfaces. A shared baseline that works across tenants breaks the moment group IDs differ. Client-specific exceptions get overwritten on the next deploy. Backups are ad hoc — if they exist at all.

PotSolutions set out to build a purpose-built system: define everything as JSON in Git, preview every change before it lands, require human approval, back up automatically, and run it all from a browser — without third-party SaaS touching tenant credentials.


GitOps for Microsoft 365

Config365 treats M365 tenant configuration like infrastructure-as-code — versioned, reviewable, and repeatable across every client you manage.

Core deployment loop

  • WhatIf preview — every run starts with a mandatory diff showing exactly what will be created, updated, or deleted.
  • Approval gate — a human reviews the WhatIf report in the portal; no change reaches a tenant without sign-off.
  • Apply — Microsoft Graph, Exchange, Security & Compliance, and SharePoint PowerShell deploy groups, policies, Intune configs, sensitivity labels, Teams settings, and more — with detailed per-item feedback.
  • Automated backup — the full tenant configuration is exported to Git immediately after deploy, and again nightly at 2 AM UTC.

Git repository (baseline JSON + per-tenant assignments)
        │
        ▼
Gitea Actions — trigger pipeline run
        │
        ▼
WhatIf — diff against live tenant (create / update / delete)
        │
        ▼
Approval gate — review in CONFIG365 portal
        │
        ▼
Apply — Graph + EXO + SCC + SPO PowerShell
        │
        ▼
Backup — export full tenant config → commit to Git

Groups first: {{GROUP:name}} templates resolve to IDs at deploy time
Protection: CONFIG365:IGNORE on resources · .baseline-ignore per tenant
Runtime: single OCI container — portal + Gitea + runner bundled

Platform & Portal

PotSolutions delivered the full stack — deployment engine, Git integration, management portal, and enterprise baseline — as a single self-hosted product.

Management portal

  • Tenant dashboard — multi-tenant overview with pipeline status, last backup time, and one-click deploy or approve.
  • WhatIf viewer — review every create, update, and delete before it applies; approve or reject with full diff visibility.
  • Policy & baseline viewer — browse backed-up tenant config, compare against the shared baseline, and promote changes.
  • Timeline — full deployment history with per-commit diffs; restore any resource to a previous state from the UI.
  • App deployment — Win32 apps from Chocolatey or WinGet, mobile apps via Intune, and Enterprise App registrations — all from JSON in Git.
  • Maintenance tasks — scheduled operations: group splits, Exchange font defaults, GAL visibility, Intune device renaming.

Built for MSPs

  • One baseline repository, deploy to unlimited tenants with separate assignments per client.
  • GCC High support — same workflows and baselines, pointed at Government Cloud endpoints.
  • Per-client flexibility: .baseline-ignore opts specific policies out without touching the shared baseline.
  • Resource protection — any M365 resource tagged CONFIG365:IGNORE is skipped on deploy.
  • Baseline policy groups — segment baseline files and restrict deployment to member tenants only.
  • No local tools — MSP staff need only a browser; no PowerShell modules or local setup.
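
The WhatIf step from the core deployment loop, combined with {{GROUP:name}} resolution and the two opt-outs listed above (CONFIG365:IGNORE and .baseline-ignore), as an added Python example that is not Config365's own code. The resource layout, the tag being carried in a description field, and glob patterns in .baseline-ignore are assumptions; policy names and group IDs are constructed.

```python
import fnmatch
import re

GROUP_REF = re.compile(r"\{\{GROUP:([^}]+)\}\}")
IGNORE_TAG = "CONFIG365:IGNORE"  # assumed to be carried in the resource description

def resolve_groups(value, group_ids):
    """Swap {{GROUP:name}} for this tenant's group ID; unknown names raise KeyError."""
    if isinstance(value, dict):
        return {k: resolve_groups(v, group_ids) for k, v in value.items()}
    if isinstance(value, list):
        return [resolve_groups(v, group_ids) for v in value]
    if isinstance(value, str):
        return GROUP_REF.sub(lambda m: group_ids[m.group(1)], value)
    return value

def protected(resource):
    return IGNORE_TAG in resource.get("description", "")

def whatif(baseline, live, group_ids, ignore_patterns):
    """Plan only: return sorted (action, name) pairs; nothing is written to the tenant."""
    plan = []
    for name, body in baseline.items():
        current = live.get(name)
        if any(fnmatch.fnmatchcase(name, p) for p in ignore_patterns):
            plan.append(("skip-baseline-ignore", name))
        elif current is not None and protected(current):
            plan.append(("skip-protected", name))
        else:
            desired = resolve_groups(body, group_ids)  # fails before anything is planned
            if current != desired:
                plan.append(("create" if current is None else "update", name))
    plan += [("skip-protected" if protected(c) else "delete", n)
             for n, c in live.items() if n not in baseline]
    return sorted(plan)

# Constructed sample data: policy names, fields and group IDs are illustrative only.
GROUPS = {"All-Users": "guid-all-users", "BreakGlass": "guid-breakglass"}
BASELINE = {
    "CA001-Require-MFA": {"state": "enabled", "exclude": ["{{GROUP:BreakGlass}}"]},
    "CA002-Block-Legacy-Auth": {"state": "enabled", "include": ["{{GROUP:All-Users}}"]},
    "CA003-Compliant-Device": {"state": "enabled", "include": ["{{GROUP:All-Users}}"]},
    "CA004-Admin-MFA": {"state": "enabled", "include": ["{{GROUP:All-Users}}"]},
}
LIVE = {
    "CA001-Require-MFA": {"state": "enabled", "exclude": []},  # drifted from baseline
    "CA002-Block-Legacy-Auth": {"state": "disabled", "description": "CONFIG365:IGNORE"},
    "Legacy-Allow-All": {"state": "enabled"},  # not in the baseline
}
BASELINE_IGNORE = ["CA003-*"]  # assumed format: one glob pattern per line
```

Calling whatif(BASELINE, LIVE, GROUPS, BASELINE_IGNORE) yields one create, one update, one delete and two skips. A baseline that references a group missing from the tenant raises instead of producing a policy with an unresolved placeholder.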

Enterprise baseline included

A complete, opinionated M365 configuration ships with Config365 — Conditional Access, Intune, Defender, identity policies, and more. Phish-resistant and Zero Trust out of the box. The same baseline powers PotSolutions’ own Modern Workplace & Enterprise Security engagements and customer deployments at scale.


What We Used

Platform

Microsoft Graph API · Exchange Online PowerShell · Security & Compliance Center · SharePoint Online · Microsoft Intune · Entra ID · Microsoft Defender

Product & DevOps

Gitea + Gitea Actions · GitOps / JSON-as-config · OCI container · Azure Container Apps · Azure App Service · Self-hosted · GCC High · Open Source

A Product Built to Ship

Config365 is in private preview ahead of its open-source release — already powering real MSP and enterprise M365 deployments designed and built entirely by PotSolutions.

  • 100%: Developed by PotSolutions
  • 1: Container — portal + Git + runner
  • Tenants per instance
  • Daily: Automated Git backups

  • Every M365 change previewed, approved, applied, and backed up — with a full audit trail in Git history
  • One shared baseline deploys consistently across unlimited tenants — with per-client opt-outs and assignments
  • Minimal attack surface — self-hosted container; no third-party SaaS ever touches tenant credentials
  • Full management portal — tenants, deployments, diffs, backups, and maintenance from the browser
  • Clear per-policy feedback — know exactly what changed, what failed, and why; no cryptic DSC errors
  • Point-in-time restore from nightly backups — roll back any resource to any date in Git history

Open Source M365 Orchestration

Config365 is entering open-source preview. Join the waitlist to get early access, or talk to PotSolutions about managed M365 baselines and deployments powered by the platform we built.
